We will release the model in Q1 for sure. When a draft is complete, we intend
to go over it with the nine companies who participated in the study, show them
where they stand, and have a joint review period. After that we'll make a plan
for bringing the model public.

This is hard work and for me it has been very rewarding. 

gem

http://www.cigital.com/~gem

----- Original Message -----
From: Stephen de Vries <step...@twisteddelight.org>
To: Gary McGraw
Cc: Secure Code Mailing List <SC-L@securecoding.org>
Sent: Thu Jan 15 03:35:15 2009
Subject: Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors


On Jan 15, 2009, at 3:26 AM, Gary McGraw wrote:

> Brian Chess, Sammy Migues and I continue to pound out the software  
> assurance maturity model.  Expect more on that soon.   Working with  
> a large real-world data set has really been amazing.
>
> For those of you just getting wind of this, see:
> http://www.informit.com/articles/article.aspx?p=1271382
> http://www.informit.com/articles/article.aspx?p=1315431

Interesting articles, and they really whet the appetite for more of  
your maturity model.  Can we expect a public/open release?

Stephen

>
> On 1/14/09 5:18 PM, "Stephen de Vries" <step...@twisteddelight.org> wrote:
>
> On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote:
>>
>> To all, I'll ask a more strategic question - assuming we're agreed
>> that
>> the Top 25 is a non-optimal means to an end, what can the software
>> security community do better to raise awareness and see real-world
>> change?
>
> From a Web Security point of view, have a look at the OWASP ASVS
> project: 
> http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
>
> Abstract:
> "Whereas the OWASP Top Ten is a tool that provides web application
> security awareness, the OWASP Application Security Verification
> Standard (ASVS) is a commercially-workable open standard that defines
> ranges in coverage and levels of rigor that can be used to perform
> application security verifications
> ...
> The primary aim of the OWASP ASVS Project is to normalize the range in
> the coverage and level of rigor available in the market when it comes
> to performing application security verification using a commercially-
> workable open standard. This standard can be used to establish a level
> of confidence in the security of web applications."
>
>
> regards,
> Stephen
>


_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________